[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure

Igor Sousa igorvolt at gmail.com
Wed Aug 7 22:17:37 UTC 2019


Hello everybody,

I have a Samba environment with the following "brief" description:

   - There are 2 DCs (*samba4* and *samba4bkp*) running Samba version 4.1.6
   on my domain (*SMB*). The DNS back end is Samba Internal DNS;
   - I've added a new DC (*king*), running Samba version 4.10.2, as a DC
   to the *SMB* domain with the BIND9 DNS back end;
   - *king* has updated DNS zones, and I've checked this;
   - *king* can resolve *SMB* domain names;
   - *samba4bkp* broke and I lost its disks. I then followed the steps
   described at
   https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/
   to remove *samba4bkp* manually.

After removing *samba4bkp*, I checked the *samba4* DNS zones and they are OK,
but *king* still has the *samba4bkp* records. I then tried to update the DNS
entries by running *samba_dnsupdate --verbose --all-names*, and it reported
that all 28 entries failed to update, as shown below.

I've searched for similar errors ("; TSIG error with server: tsig verify
failure"), but without success.

Regards!
--
Igor Sousa


*samba_dnsupdate output:*
[root at king ~]# samba_dnsupdate --verbose --all-names
IPs: ['10.41.20.67']
force update: A king.smb 10.41.20.67
force update: NS smb king.smb
force update: NS _msdcs.smb king.smb
force update: A smb 10.41.20.67
force update: SRV _ldap._tcp.smb king.smb 389
force update: SRV _ldap._tcp.dc._msdcs.smb king.smb 389
force update: SRV _ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb king.smb 389
force update: SRV _kerberos._tcp.smb king.smb 88
force update: SRV _kerberos._udp.smb king.smb 88
force update: SRV _kerberos._tcp.dc._msdcs.smb king.smb 88
force update: SRV _kpasswd._tcp.smb king.smb 464
force update: SRV _kpasswd._udp.smb king.smb 464
force update: CNAME 46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb king.smb
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.smb king.smb 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.smb king.smb 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 88
force update: A gc._msdcs.smb 10.41.20.67
force update: SRV _gc._tcp.smb king.smb 3268
force update: SRV _ldap._tcp.gc._msdcs.smb king.smb 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.smb king.smb 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb king.smb 3268
force update: A DomainDnsZones.smb 10.41.20.67
force update: SRV _ldap._tcp.DomainDnsZones.smb king.smb 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb king.smb 389
force update: A ForestDnsZones.smb 10.41.20.67
force update: SRV _ldap._tcp.ForestDnsZones.smb king.smb 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb king.smb 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
update(nsupdate): A king.smb 10.41.20.67
Calling nsupdate for A king.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
king.smb. 900 IN A 10.41.20.67

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS smb king.smb
Calling nsupdate for NS smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smb. 900 IN NS king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS _msdcs.smb king.smb
Calling nsupdate for NS _msdcs.smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.smb. 900 IN NS king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A smb 10.41.20.67
Calling nsupdate for A smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smb. 900 IN A 10.41.20.67

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.dc._msdcs.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.6be160cc-cf53-4c79-a088-b81267a01ec2.domains._msdcs.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.smb. 900 IN SRV 0 100 88 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._udp.smb king.smb 88
Calling nsupdate for SRV _kerberos._udp.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.smb. 900 IN SRV 0 100 88 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.dc._msdcs.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.smb. 900 IN SRV 0 100 88 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._tcp.smb king.smb 464
Calling nsupdate for SRV _kpasswd._tcp.smb king.smb 464 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.smb. 900 IN SRV 0 100 464 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._udp.smb king.smb 464
Calling nsupdate for SRV _kpasswd._udp.smb king.smb 464 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.smb. 900 IN SRV 0 100 464 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): CNAME 46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb king.smb
Calling nsupdate for CNAME 46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb king.smb (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
46a2e9f2-ad5c-4a7b-a8da-833fe45ad885._msdcs.smb. 900 IN CNAME king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.smb. 900 IN SRV 0 100 88 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 88
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb king.smb 88 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.smb. 900 IN SRV 0 100 88 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.smb 10.41.20.67
Calling nsupdate for A gc._msdcs.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.smb. 900 IN A 10.41.20.67

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _gc._tcp.smb king.smb 3268
Calling nsupdate for SRV _gc._tcp.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.smb. 900 IN SRV 0 100 3268 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.gc._msdcs.smb king.smb 3268
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.smb. 900 IN SRV 0 100 3268 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _gc._tcp.Default-First-Site-Name._sites.smb king.smb 3268
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.smb. 900 IN SRV 0 100 3268 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb king.smb 3268
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb king.smb 3268 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.smb. 900 IN SRV 0 100 3268 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A DomainDnsZones.smb 10.41.20.67
Calling nsupdate for A DomainDnsZones.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.smb. 900 IN A 10.41.20.67

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.DomainDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A ForestDnsZones.smb 10.41.20.67
Calling nsupdate for A ForestDnsZones.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.smb. 900 IN A 10.41.20.67

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smb. 900 IN SRV 0 100 389 king.smb.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 28 entries
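
Added example (not part of the original post, and not Samba's own code): a small triage script for samba_dnsupdate --verbose output like the above. It tallies the outcome of each record and reports which DNS service principal the Kerberos tickets were issued for (in the post, DNS/samba4.smb while the client is KING$). The sample input and the names summarize and ticket_for_other_host are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, in the shape of the samba_dnsupdate --verbose output above.
SAMPLE = """\
update(nsupdate): A king.smb 10.41.20.67
Calling nsupdate for A king.smb 10.41.20.67 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.smb king.smb 389
Calling nsupdate for SRV _ldap._tcp.smb king.smb 389 (add)
Successfully obtained Kerberos ticket to DNS/samba4.smb as KING$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
"""

UPDATE = re.compile(r"^update\(nsupdate\): (.*)$")
TICKET = re.compile(r"obtained Kerberos ticket to (\S+) as (\S+)")
TSIG = re.compile(r"^; TSIG error with server: (.+)$")
FAILED = re.compile(r"^Failed nsupdate: (\d+)")


def summarize(text):
    """Split the log into one attempt per record and tally the outcomes."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        m = UPDATE.match(line)
        if m:
            attempts.append({"record": m.group(1), "spn": None,
                             "client": None, "error": None, "rc": None})
            continue
        if not attempts:
            continue  # preamble ("force update: ..." lines) before the first attempt
        cur = attempts[-1]
        if (m := TICKET.search(line)):
            cur["spn"], cur["client"] = m.groups()
        elif (m := TSIG.match(line)):
            cur["error"] = m.group(1)
        elif (m := FAILED.match(line)):
            cur["rc"] = int(m.group(1))
    failed = [a for a in attempts if a["rc"] is not None]
    spns = {a["spn"] for a in attempts if a["spn"]}
    clients = {a["client"].rstrip("$").lower() for a in attempts if a["client"]}
    # True when a ticket names a DNS service on a host other than the client itself.
    other_host = any(s.split("/", 1)[-1].split(".")[0].lower() not in clients for s in spns)
    return {"attempts": len(attempts), "failed": len(failed),
            "errors": Counter(a["error"] for a in failed if a["error"]),
            "spns": spns, "ticket_for_other_host": other_host}
```

Calling summarize() on the saved command output gives the per-error counts and the set of service principals in one place, which is easier to compare against the DC list than the raw log.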

